Tag: Shared Responsibility Model

As a SaaS organization, you may be well-versed in the world of cloud computing and feel confident that the cloud is as secure as any on-prem or data center network — as you should. Cloud Service Providers (CSPs) have gone to great lengths to secure their infrastructure, employing in-house security teams with deep expertise and world-class security tools. Few SaaS companies alone can achieve the same level of collective cloud security prowess that an IaaS provider such as AWS or Azure can.

But security of the cloud is different from security inthe cloud, which is to say that you — as a SaaS organization — are not off the hook completely. The shared responsibility model that cloud providers subscribe to means that, while they are responsible for the security of cloud infrastructure, you are responsible for the security of your own data, platform, applications systems, and networks.

We hear (and at Threat Stack, we write) a lot about the shared security responsibility model. This is the idea that, when it comes to the cloud, businesses are responsible for the security of their data and applications in the cloud, while providers are responsible for the security of the cloud infrastructure.

But are companies prepared to take responsibility for their end of the bargain? How far do we still have to go to reach the promised land of a successfully shared responsibility model? Below, we’ll explore where we stand today and what it will take to reach that holy grail. Read more “Assessing the State of the Shared Responsibility Model”

Gone are the days when the majority of businesses could point to the cloud warily and say, “I think my data’s safer on-prem.” Organizations today are far less worried about how secure the cloud is in general, and this change in attitude has sped up cloud adoption to a great degree.

What has led to this more relaxed embrace of the cloud? In part, providers like AWS have gone to great lengths to codify and transparently communicate a Shared Responsibility Model that has expressly defined the scope and boundaries of responsibility. Increasingly, customers recognize that Amazon and its brethren have all-star teams that have a security focus ingrained in them. There’s a certain level of comfort that comes with knowing you are in good, experienced hands.

But, even as the cloud is proven to be quite secure and as confidence in it increases, Security and DevOps teams still have to be vigilant about their own workloads. Organizations have to pick up their end of the shared responsibility bargain — and in some cases, even take it a step further than what is required.

If you’re already on the Slack bandwagon, then you have probably experienced first-hand how it can make communications between teams far simpler and more streamlined. With 1.7 million daily active users, it’s clear Slack has come to dominate the team chat world, especially in tech and tech-savvy industries.

From a security perspective, Slack has done a solid job of keeping its assets on lock. In 2016, they scored Geoff Belknap from Palantir to become chief security officer. And they have been pretty transparent about their approach to security. They have dedicated a whole section of their website to it and published interviews with Belknap and others that delve into Slack’s precautions and philosophy around security. Belknap says, “My job is to worry. Professionally. So that our customers don’t have to.” We love that attitude!

The company has also gone to the trouble of certifying many of its products to meet stringent compliance regulations like FINRA, HIPAA, and SOC 2 and 3, which makes it a no-brainer for small teams and enterprises alike.

So, we feel that it’s perfectly possible for companies of all shapes and sizes to lean on Slack for team chat and ops without worrying too much about security. But, we also believe in the shared responsibility model when it comes to any form of online security. No one’s perfect, and Slack’s ubiquity and popularity mean that it will always be a target for cybercriminals looking to steal information.

There’s no need to run scared, but you do need to be smart about how you use this valuable tool. Here are our tips for running Slack securely at your organization. Read more “How to Stay Secure on Slack”

Amazon Web Services (AWS) has pioneered the Shared Responsibility Model in the cloud. Basically, this model outlines how cloud service providers and consumers of these cloud-based services should share responsibilities when it comes to ensuring security in the cloud. AWS and other cloud service providers (CSPs) are responsible for ensuring that cloud infrastructure is secure. Meanwhile, companies (those using the cloud services) are responsible for their data, networks, applications, and operating systems — anything they own that lives in the cloud.

Speaking recently in a Google webcast,U.S. CIO Tony Scott declared major cloud providers like Google, Amazon or Microsoft just as secure as the world’s largest financial institutions. He even implied that there’s no safer place to store data than in the cloud.

Keeping your cloud workloads secure, compliant, and protected while moving at the speed of DevOps is no easy task. Our team at Threat Stack knows this truth very well. There are many different viewpoints on the best approach to take to keep your customer data and systems protected in the cloud, and it all starts with understanding where your cloud provider’s responsibility for security ends and where yours begins. Let’s use AWS as an example throughout this post as they have a Shared Responsibility Model that demonstrates this well. Read more “What All DevOps Teams Should Know About The AWS Shared Responsibility Model”